CF Unit-5 by Jithender
Computer Forensics Unit-5 Processing Crime and Incident Scenes by Tulasi Jithender

Transcript of CF Unit-5 by Jithender

Page 1: CF Unit-5 by Jithender

Computer Forensics Unit-5

Processing Crime and Incident Scenes

by Tulasi Jithender

Page 2: CF Unit-5 by Jithender

• In this unit, we are going to learn how to process a computer investigation scene.

• Collecting computers and processing a criminal or incident scene must be done systematically.

• Most courts have interpreted computer records as hearsay evidence.

Page 3: CF Unit-5 by Jithender

Identifying Digital Evidence:

• Digital evidence can be any information stored or transmitted in digital form.

• Courts accept digital evidence as physical evidence, which means that digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that’s related to a criminal or civil incident.

• Groups such as the Scientific Working Group on Digital Evidence (SWGDE) and the International Organization on Computer Evidence (IOCE) set standards for recovering, preserving, and examining digital evidence.

Page 4: CF Unit-5 by Jithender

• Following are the general tasks investigators perform when working with digital evidence:

1. Identify digital information or artifacts that can be used as evidence.

2. Collect, preserve, and document evidence.

3. Analyze, identify, and organize evidence.

4. Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.

An important challenge investigators face today is establishing recognized standards for digital evidence.

Page 5: CF Unit-5 by Jithender

Understanding Rules of Evidence:

The following are the ones most applicable to computer forensics practice:

1. Business records, including those of a public agency.

2. Certain public records and reports.

3. Evidence of the absence of a business record or entry.

4. Learned treatises used to question an expert witness.

5. Statements of the absence of a public record or entry.

Page 6: CF Unit-5 by Jithender

• Generally, Computer records are considered admissible if they qualify as a business record.

• Computer records are usually divided into two categories: 1. computer-generated records and 2. computer-stored records.

1. Computer-generated records are data the system maintains, such as system log files and proxy server logs. They are output generated from a computer process or algorithm, not usually data a person creates.

Page 7: CF Unit-5 by Jithender

2. Computer-stored records, however, are electronic data that a person creates and saves on a computer, such as a spreadsheet or word processing document.

• Some records combine computer-generated and computer-stored evidence, such as a spreadsheet containing mathematical operations generated from a person’s input.

• Computer records must also be shown to be authentic and trustworthy to be admitted into evidence.

Page 8: CF Unit-5 by Jithender

• Computer-generated records are considered authentic if the program that created the output is functioning correctly.

• To show that computer-stored records are authentic, the person offering the records must demonstrate that a person created the data and the data is reliable and trustworthy—in other words, that it wasn’t altered when it was acquired or afterward.

• Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic.

Page 9: CF Unit-5 by Jithender

• Courts have consistently ruled that computer forensics investigators don’t have to be subject matter experts on the tools they use.

• The court stated, “It is not necessary that the computer programmer testify in order to authenticate computer-generated records.”

• In other words, the witness must have firsthand knowledge only of facts relevant to the case. If you have to testify about your role in acquiring, preserving, and analyzing evidence, you don’t have to know the inner workings of the tools you use, but you should understand their purpose and operation.

Page 10: CF Unit-5 by Jithender

• One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records.

Page 11: CF Unit-5 by Jithender

Collecting Evidence in Private-Sector Incident Scenes:

• Private-sector organizations include businesses and government agencies that aren’t involved in law enforcement.

• In the United States, these agencies must comply with state public disclosure and federal Freedom of Information Act (FOIA) laws and make certain documents available as public records.

• The FOIA was originally enacted in the 1960s,

Page 12: CF Unit-5 by Jithender

• A special category of private-sector businesses includes ISPs and other communication companies.

• ISPs can investigate computer abuse committed by their employees, but not by customers.

• ISPs and other communication companies now can investigate customers’ activities that are deemed to create an emergency situation.

Page 14: CF Unit-5 by Jithender

• Investigating and controlling computer incident scenes in the corporate environment is much easier than in the criminal environment.

• In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area, where a policy violation is being investigated.

Page 15: CF Unit-5 by Jithender

• However, if a company doesn’t display a warning banner or publish a policy stating that it reserves the right to inspect computing assets at will, employees have an expectation of privacy.

• If you discover evidence of a crime during a company policy investigation, first determine whether the incident meets the elements of criminal law.

Page 16: CF Unit-5 by Jithender

• If the information you supply is specific enough to meet the criteria for a search warrant, the police are responsible for obtaining a warrant that requests any new evidence.

• Your next step is to work with the corporate attorney to write an affidavit confirming your findings.

Page 17: CF Unit-5 by Jithender

Processing Law Enforcement Crime Scenes:

• To process a crime scene properly, you must be familiar with criminal rules of search and seizure.

• You should also understand how a search warrant works and what to do when you process one.

• A law enforcement officer can search for and seize criminal evidence only with probable cause. Probable cause refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

Page 18: CF Unit-5 by Jithender

Figure 5-4: Sample search warrant wording for computer evidence.

Page 19: CF Unit-5 by Jithender

Preparing for a Search:

• Preparing for a computer search and seizure is probably the most important step in computing investigations.

• The better you prepare, the smoother your investigation will be.

Page 20: CF Unit-5 by Jithender

• The following sections discuss the tasks you should complete before you search for evidence:

1. Identifying the Nature of the Case.

2. Identifying the Type of Computing System.

3. Determining Whether You Can Seize a Computer.

4. Obtaining a Detailed Description of the Location.

5. Determining Who Is in Charge.

6. Using Additional Technical Expertise.

7. Determining the Tools You Need.

8. Preparing the Investigation Team.

Page 21: CF Unit-5 by Jithender

1. Identifying the Nature of the Case: Identifying the nature of the case includes determining whether it involves the private or public sector. The nature of the case dictates how you proceed and what types of assets or resources you need to use in the investigation.

2. Identifying the Type of Computing System: Determine the type of computing systems involved in the investigation. For law enforcement, this step might be difficult because the crime scene isn’t controlled. You might not know what kinds of computers were used to commit a crime or how or where they were used.

Page 22: CF Unit-5 by Jithender

• If you can identify the computing system, estimate the size of the drive on the suspect’s computer and how many computers you have to process at the scene.

• Also, determine which OSs and hardware might be involved and whether the evidence is located on a Microsoft, Linux, UNIX, Macintosh, or mainframe computer.

• For corporate investigators, configuration management databases make this step easier.

Page 23: CF Unit-5 by Jithender

3. Determining Whether You Can Seize a Computer:

• Generally, the ideal situation for incident or crime scenes is seizing the computers and taking them to your lab for further processing.

• However, the type of case and location of the evidence determine whether you can remove computers from the scene.

• Law enforcement investigators need a warrant to remove computers from a crime scene and transport them to a lab.

Page 24: CF Unit-5 by Jithender

• If removing the computers will irreparably harm a business, the computers should not be taken offsite, unless you have disclosed the effect of the seizure to the judge.

• If you aren’t allowed to take the computers to your lab, determine the resources you need to acquire digital evidence and which tools can speed data acquisition. With large drives, such as a 200 GB drive, acquisition times can increase to several hours.

• An additional complication is files stored offsite that are accessed remotely.

Page 25: CF Unit-5 by Jithender

4. Obtaining a Detailed Description of the Location: The more information you have about the location of a computer crime, the more efficiently you can gather evidence from a crime scene.

• Some computer cases involve dangerous settings, such as a drug bust or a terrorist attack using biological, chemical, or nuclear contaminants.

• For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. The recovery process might include decontaminating computing components needed for the investigation, if possible.

Page 26: CF Unit-5 by Jithender

• Ambiguous or incorrect instructions could destroy evidence. Ideally, a computer forensics investigator trained in dealing with HAZMAT environments should acquire drive images.

• In addition, if the temperature in the contaminated room is higher than 80 degrees, you should take measures to avoid damage to the drive from overheating.

Page 27: CF Unit-5 by Jithender

5. Determining Who Is in Charge:

• Corporate computing investigations usually require only one person to respond to an incident or crime scene.

• Processing evidence involves acquiring an image of a subject’s drive.

• In law enforcement, many investigations require additional staff to collect all evidence quickly.

• For large-scale investigations, a crime or incident scene leader should be designated.

Page 28: CF Unit-5 by Jithender

6. Using Additional Technical Expertise:

• After you collect evidence data, determine whether you need specialized help to process the incident or crime scene.

• For example, suppose you’re assigned to process a crime scene at a data center running Microsoft Windows servers with several RAID drives and high-end UNIX servers.

• If you’re the leader of this investigation, you must identify the additional skills needed to process the crime scene, such as enlisting help with a high-end server OS.

Page 29: CF Unit-5 by Jithender

• RAID servers typically process several terabytes of data, and standard imaging tools might not be able to handle these large data sets.

• If you do need to recruit a specialist who’s not an investigator, develop a training program to educate the specialist in proper investigative techniques.

Page 30: CF Unit-5 by Jithender

7. Determining the Tools You Need:

• After you have gathered as much information as possible about the incident or crime scene, you can start listing what you need at the scene.

• Being over-prepared is better than being underprepared, especially when you determine that you can’t transfer the computer to your lab for processing.

• Using the right kit makes processing an incident or crime scene much easier and minimizes how much you have to carry from your vehicle to the scene.

Page 31: CF Unit-5 by Jithender

• The figure below shows the items in an initial-response field kit.

Page 35: CF Unit-5 by Jithender

8. Preparing the Investigation Team:

• Before you initiate the search and seizure of digital evidence at an incident or crime scene, you must review all the available facts, plans, and objectives with the investigation team you have assembled.

• The goal of scene processing is to collect and secure digital evidence successfully.

• The better prepared you are, the fewer problems you encounter when you carry out the plan to collect data.

Page 36: CF Unit-5 by Jithender

Securing a Computer Incident or Crime Scene:

• Investigators secure an incident or crime scene to preserve the evidence and to keep information about the incident or crime confidential.

• If you’re in charge of securing a computer incident or crime scene, use yellow barrier tape to prevent bystanders from accidentally entering the scene.

• Access to the scene should be restricted to only those people who have a specific reason to be there.

Page 37: CF Unit-5 by Jithender

• For major crime scenes, computer investigators aren’t usually responsible for defining a scene’s security perimeter.

• These cases involve other specialists and detectives who are collecting physical evidence and recording the scene.

• Example: Automated Fingerprint Identification Systems (AFIS) computer.

• Always remember that professional curiosity can destroy or corrupt evidence, including digital evidence.

Page 38: CF Unit-5 by Jithender

Seizing Digital Evidence at the Scene:

• With proper search warrants, law enforcement can seize all computing systems and peripherals.

1. Preparing to Acquire Digital Evidence.

2. Processing an Incident or Crime Scene.

3. Processing Data Centers with RAID Systems.

4. Using a Technical Advisor.

5. Documenting Evidence in the Lab.

6. Processing and Handling Digital Evidence.

Page 39: CF Unit-5 by Jithender

1. Preparing to Acquire Digital Evidence:

• The evidence you acquire at the scene depends on the nature of the case and the alleged crime or violation.

• Seizing peripherals and other media ensures that you leave no necessary system components behind.

• Before you collect digital evidence, ask your supervisor or senior forensics examiner in the organization the following questions:

Page 40: CF Unit-5 by Jithender

• Do you need to take the entire computer and all peripherals and media in the immediate area?

• How are you going to protect the computer and media while transporting them to your lab?

• Is the computer powered on when you arrive?

• Is it possible the suspect damaged or destroyed the computer, peripherals, or media?

• Will you have to separate the suspect from the computer?

Page 41: CF Unit-5 by Jithender

2. Processing an Incident or Crime Scene: The following guidelines offer suggestions on how to process an incident or crime scene.

Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene.

To secure the scene, make sure that only authorized people can access the area.

Take video and still recordings of the area around the computer.

Page 42: CF Unit-5 by Jithender

Make sure nothing in this area, including computer evidence, moves until you have had time to record it.

Be professional and courteous to any curious onlookers, but don’t offer information about the investigation or incident or answer questions.

Refer journalists to a public information officer or the organization’s public relations manager.

When you finish videotaping or photographing the scene, sketch the incident or crime scene. This sketch is usually a rough draft with notes on objects’ dimensions and distances between fixed objects.

Page 43: CF Unit-5 by Jithender

Because computer data is volatile, check the state of each computer at the scene as soon as possible. Determine whether the computer is powered on or off or in hibernation or sleep mode.

If you can’t save an open application to external media, save the open application to the suspect drive with a new filename.

Page 44: CF Unit-5 by Jithender

After you record the scene and shut down the system, bag and tag the evidence, following these steps:

Assign one person, if possible, to collect and log all evidence. Minimize the number of people handling evidence to ensure its integrity.

Tag all the evidence you collect with the current date and time, serial numbers, model, and the name of the person who collected it.

Maintain two separate logs of collected evidence for audit control and to verify everything you have collected.

Maintain constant control of the collected evidence and the crime or incident scene.

Page 45: CF Unit-5 by Jithender

• To complete your analysis and processing of a scene, collect all documentation and media related to the investigation, including the following material:

Hardware, including peripheral devices.

Software, including OSs and applications.

All media, such as backup tapes and disks.

All documentation, manuals, printouts, and handwritten notes.

Page 46: CF Unit-5 by Jithender

3. Processing Data Centers with RAID Systems:

• Computer investigators sometimes perform forensics analysis on RAID systems or server farms, which are rooms filled with extremely large disk systems.

• One technique for extracting evidence from large systems is called sparse acquisition. This technique extracts only data related to evidence for your case from allocated files and minimizes how much data you need to analyze.

• A drawback of this technique is that it doesn’t recover data in free or slack space.

Page 47: CF Unit-5 by Jithender

4. Using a Technical Advisor:

• When working with advanced technologies, recruit a technical advisor who can help you list the tools you need to process the incident or crime scene.

Page 48: CF Unit-5 by Jithender

• Technical advisors have the following responsibilities:

Know all aspects of the system being seized and searched.

Direct investigators on how to handle sensitive media and systems to prevent damage.

Help ensure security of the scene.

Help document the planning strategy for the search and seizure.

Conduct ad hoc training for investigators on the technologies and components being seized and searched.

Document activities during the search and seizure.

Help conduct the search and seizure.

Page 49: CF Unit-5 by Jithender

5. Documenting Evidence in the Lab:

• After you collect digital evidence at the scene, you transport it to a forensics lab, which should be a controlled environment that ensures the security and integrity of digital evidence.

• In any investigative work, be sure to record your activities and findings as you work.

• Besides verifying your work, a journal serves as a reference that documents the methods you used to process digital evidence. You and others can use it for training and guidance on other investigations.

Page 50: CF Unit-5 by Jithender

6. Processing and Handling Digital Evidence:

• You must maintain the integrity of digital evidence in the lab as you do when collecting it in the field. Your first task is to preserve the disk data.

• If you have a suspect computer that hasn’t been copied with an imaging tool, you must create a copy.

• When you do, be sure to make the suspect drive read-only, and document this step.

• If the disk has been copied with an imaging tool, you must preserve the image files.

• With most imaging tools, you can create smaller, compressed volume sets to make archiving your data easier.

Page 51: CF Unit-5 by Jithender

Storing Digital Evidence:

• With digital evidence, you need to consider how and on what type of media to save it and what type of storage device is recommended to secure it.

• If you investigate criminal matters, store the evidence as long as you can.

• The ideal media on which to store digital data are CD-Rs or DVDs.

• These media have long lives, but copying data to them takes a long time.

• Older CDs had lives up to five years.

Page 52: CF Unit-5 by Jithender

• Today’s larger drives demand more storage capacity: for example, 200 GB drives are common, and DVDs can store only up to 17 GB of data.

• You can also use magnetic tape to preserve evidence data.

• The 4-mm DAT magnetic tapes store between 40 and 72 GB or more of data, but like CD-Rs, they are slow at reading and writing data.

• However, don’t rely on one media storage method to preserve your evidence—be sure to make two copies of every image to prevent data loss.

• Also, if practical, use different tools to create the two images.

Page 53: CF Unit-5 by Jithender

• If a 30-year lifespan for data storage is acceptable for your digital evidence, older DLT magnetic tape cartridge systems are a good choice.

Page 55: CF Unit-5 by Jithender

Evidence Retention and Media Storage Needs:

• When your lab is open for operations, authorized personnel must keep these areas under constant supervision. When your lab is closed, at least two security workers should guard evidence storage cabinets and lab facilities.

• As a good security practice, most labs use a manual log system that an authorized technician maintains when an evidence storage container is opened and closed.

• These logs should be maintained for a period based on legal requirements.

• Make the logs available for management to inspect.

Page 56: CF Unit-5 by Jithender

A sample log file

Page 57: CF Unit-5 by Jithender

Documenting Evidence:

• To document evidence, create or use an evidence custody form.

• Because of constant changes in technologies and methods for acquiring data, create an electronic evidence custody form that you can modify as needed.

• An evidence custody form serves the following functions:

- Identifies the evidence.

- Identifies who has handled the evidence.

- Lists dates and times the evidence was handled.

Page 58: CF Unit-5 by Jithender

• After you have established these pieces of information, you can add others to your form, such as a section listing MD5 and SHA-1 hash values.

• Include any detailed information you might need to reference.

• Evidence bags also include labels or evidence forms you can use to document your evidence.

Page 59: CF Unit-5 by Jithender

Obtaining a Digital Hash:

• To verify data integrity, different methods of obtaining a unique identity for file data have been developed.

• One of the first methods, the Cyclic Redundancy Check (CRC) is a mathematical algorithm that determines whether a file’s contents have changed. The most recent version is CRC-32.

• CRC, however, is not considered a forensic hashing algorithm.

Page 60: CF Unit-5 by Jithender

• The first algorithm for computer forensics use was Message Digest 5 (MD5).

• Like CRC, MD5 is a mathematical formula that translates a file into a hexadecimal code value, or a hash value.

• If a bit or byte in the file changes, it alters the hash value, a unique hexadecimal value that identifies a file or drive.

Page 61: CF Unit-5 by Jithender

• There are three rules for forensic hashes:

1. You can’t predict the hash value of a file or device.

2. No two hash values can be the same.

3. If anything changes in the file or device, the hash value must change.

• A newer hashing algorithm is Secure Hash Algorithm version 1 (SHA-1), developed by NIST.

• SHA-1 is slowly replacing MD5 and CRC-32, although MD5 is still widely used.
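Added example, not part of the original slides: a Python script that computes the CRC-32, MD5 and SHA-1 values discussed above for a constructed sample image, records them on an electronic evidence custody form of the kind slide 58 suggests, verifies a second copy against the original, and shows the third hash rule by inverting a single bit. The EvidenceCustodyForm class, its field names, the examiner names and the sample bytes are my own assumptions, not a standard form or real evidence.

```python
import hashlib
import zlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired drive image (not real evidence data).
SAMPLE_IMAGE = bytes(range(256)) * 16


def digest_data(data: bytes) -> dict:
    """CRC-32 (an integrity check, not a forensic hash) plus MD5 and SHA-1."""
    return {
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for an image file, read in chunks so large images fit in memory."""
    crc, md5, sha1 = 0, hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return {"crc32": format(crc & 0xFFFFFFFF, "08x"),
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_copy(reference: dict, copy_data: bytes) -> list:
    """Names of the algorithms whose digest of copy_data differs from the reference.
    An empty list means the copy matches the original under every algorithm."""
    actual = digest_data(copy_data)
    return [name for name in reference if actual[name] != reference[name]]


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with one bit inverted, modelling a single-bit alteration."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


class EvidenceCustodyForm:
    """Electronic custody form (assumed layout): what the evidence is, who handled
    it, when, and the MD5/SHA-1 values recorded at each handling step."""

    def __init__(self, evidence_id: str, description: str):
        self.evidence_id = evidence_id
        self.description = description
        self.entries = []

    def log(self, handler: str, action: str, hashes: dict, when=None) -> dict:
        """Append one custody entry; the timestamp defaults to the current UTC time."""
        entry = {
            "evidence_id": self.evidence_id,
            "handler": handler,
            "action": action,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "md5": hashes["md5"],
            "sha1": hashes["sha1"],
        }
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """True when every entry carries the same MD5 and SHA-1 as the first entry."""
        first = self.entries[0]
        return all(e["md5"] == first["md5"] and e["sha1"] == first["sha1"]
                   for e in self.entries[1:])


def demo() -> dict:
    """Walk the constructed image through acquisition, copy check and alteration."""
    original = digest_data(SAMPLE_IMAGE)
    form = EvidenceCustodyForm("CONSTRUCTED-001", "constructed sample image")
    form.log("examiner A", "acquired at scene", original)
    # A second copy made with a different tool has the same bytes, so digests agree.
    form.log("examiner B", "verified lab copy", digest_data(bytes(SAMPLE_IMAGE)))
    altered = flip_bit(SAMPLE_IMAGE, 777)  # rule 3: any change must change the hash
    return {"copy_mismatches": verify_copy(original, SAMPLE_IMAGE),
            "altered_mismatches": verify_copy(original, altered),
            "chain_intact": form.chain_intact()}
```

Use hash_file rather than digest_data for a real image on disk; a mismatch in the returned list is the signal to stop and investigate before any analysis proceeds.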

Page 62: CF Unit-5 by Jithender

Reviewing a Case:

• The following are the general tasks you perform in any computer forensics case:

1. Identify the case requirements.

2. Plan your investigation.

3. Conduct the investigation.

4. Complete the case report.

5. Critique the case.

Page 63: CF Unit-5 by Jithender

• The following sections give you an example of civil and criminal investigations, and then you review how to perform some of these general tasks.

• Sample Civil Investigation: (Example e-mail of two companies)

• Sample Criminal Investigation: (Search warrant)

Page 64: CF Unit-5 by Jithender

Example for Sample Criminal Investigation

Page 65: CF Unit-5 by Jithender

• For covert surveillance, you set up monitoring tools that record a suspect’s activity in real time.

• Real-time surveillance requires sniffing data transmissions between a suspect’s computer and a network server.

• Sniffing software allows network administrators and others to determine what data is being transmitted over the network.

Page 66: CF Unit-5 by Jithender

• Other data-collecting tools (called keylogger programs) are screen capture programs that collect most or all screens and keystrokes on a suspect’s computer.

• Most of these tools run on Windows and usually collect data through remote network connections.

• The tools are hidden or disguised as other programs in Windows Task Manager and process logs.

Page 67: CF Unit-5 by Jithender

Review Questions:

1. Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?

a. Most companies keep inventory databases of all hardware and software used.

b. The investigator doesn’t have to get a warrant.

c. The investigator has to get a warrant.

d. Users can load whatever they want on their machines.

Page 68: CF Unit-5 by Jithender

2. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause.

True or False?

Page 69: CF Unit-5 by Jithender

3. If you discover a criminal act, such as murder, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement.

True or False?

4. The plain view doctrine in computer searches is well-established law.

True or False?

Page 70: CF Unit-5 by Jithender

5. If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following?

a. Coordinate with the HAZMAT team.

b. Determine a way to obtain the suspect computer.

c. Assume the suspect computer is contaminated.

d. Do not enter alone.

Page 71: CF Unit-5 by Jithender

6. What are the three rules for a forensic hash?

7. In forensic hashes, a collision occurs when ________________________________.

8. List three items that should be in an initial-response field kit.

9. Computer peripherals or attachments can contain DNA evidence. True or False?

Page 72: CF Unit-5 by Jithender

10. If a suspect computer is running Windows 2000, which of the following can you perform safely?

a. Browsing open applications.

b. Disconnecting power.

c. Either of the above.

d. None of the above.

11. What should be videotaped or sketched at a computer crime scene?

Page 73: CF Unit-5 by Jithender

12. Which of the following techniques might be used in covert surveillance?

a. Keylogging.

b. Data sniffing.

c. Network logs.

13. List two hashing algorithms commonly used for forensic purposes.

14. Small companies rarely need investigators. True or False?

Page 74: CF Unit-5 by Jithender

15. If a company doesn’t distribute a computing use policy stating an employer’s right to inspect employees’ computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?

16. You should always answer questions from onlookers at a crime scene. True or False?

Page 81: CF Unit-5 by Jithender

I AM NOT TRYING TO TEACH SOMETHING, I AM JUST TRYING TO MAKE YOU THINK. (From an unknown source)